
April 21 2011

ePayments Week: Where adds context to PayPal

Here's what caught my attention in the payment space this week.

EBay buys a hyper-local friend for PayPal

EBay's purchase of Where, a mobile app for finding local deals, gives the gift of context to PayPal. It's the second deal in recent weeks that connects a payment provider with a check-in service or advertiser to make a complete loop from discovery to payment. FourSquare demoed a similar link-up at SXSW last month. EBay will bring the whole deal in house, integrating PayPal into the Where app so that users can discover deals in Where and then pay for them with a single click. Erick Schonfeld at TechCrunch offers a solid rationale for the purchase, and also notes the data play inherent in it. All that data that eBay has on its and PayPal's users could help Where serve up more relevant offers and advertising to PayPal's users.

PayPal explained the deal in the context of other acquisitions it's making. Amanda Pires, PayPal's senior director of global communications, said in a blog post that "Local commerce companies like Where are blurring the lines between in-store and online shopping." Last month, EBay made another purchase that similarly crossed lines when it said it would buy GSI Commerce, a provider of e-commerce services for retail brands. That deal could eventually put PayPal at the register of physical stores. With the Where acquisition, now they'll have a way to get you to the store, too.

O'Reilly authors discuss iPhone's built-in travel log

This week's big news in geolocation came from Alasdair Allan and Pete Warden, who reported their discovery of an unencrypted file on iPhones (and their synced computers) tracking their movements since they upgraded to iOS4 sometime last summer.

Allan and Warden discussed their discovery at Where 2.0 on Wednesday. Although Apple had yet to offer an explanation of the file to them (or to media inquiries), Allan and Warden said they speculated that the data was from interactions between the phone and radio cell towers, whether that was a call, a text, a data packet, or simply a locating signal. For Allan, it added up to 29,000 points of data over 293 days.

As both hastened to point out, telecom carriers already have this kind of information on you, regardless of what kind of phone you carry. But that data is treated with a higher level of security, since it's considered sensitive. "What's interesting about this data is that it's unencrypted and available," said Allan. "It's insecure." (See Alasdair's post for more details on the discovery and the open source app they created to manipulate and visualize the data.)

Responding to comments that this data had already been discovered and was well known, Allan said during a Where 2.0 session: "It's not well known. We're pretty geeky. If we didn't know, then a lot of people didn't know."

White House calls for identity ecosystem

Just days before Barack Obama headed out to Palo Alto to host a virtual town hall meeting in the real-world space that houses Facebook's headquarters, the White House backed a plan to spur private industry to create more secure forms of online identity. Noting that identity theft and online fraud are serious problems that cost the economy billions every year, the administration called on private industry to come up with a solution that might free the citizenry from the tyranny of dozens of username/password combinations.

Kashmir Hill on wrote that the government's aim is to create an "identity ecosystem," which sounds a lot like the plan that OpenID has been advocating for a while. Emily Badger on looked closely at the line the administration is walking between showing leadership or looking like Big Brother. Badger talked with Amie Stepanovich, national security counsel for the Electronic Privacy Information Center in Washington. The interview gives the sense the White House tiptoed carefully around this point, making sure it wasn't suggesting a government-issued national online identity number (something that's been kicked around before but wouldn't be received well by most citizens) and scrubbing any sign of the Department of Homeland Security's involvement (even though, Badger notes, they've been involved in the formative thinking on this issue for years).

Any authentication system raises new risks. If a security key fob is necessary, like the ones provided by RSA, people will lose it. Mobile phones could be used, too, but they're just as easy to lose. Biometrics tap a validation mechanism that's harder to lose, but it's not clear whether people are willing to put up with a retina scan just to access their Netflix queues.

Got news?

News tips and suggestions are always welcome, so please send them along.

If you're interested in learning more about the payment development space, check out PayPal X DevZone, a collaboration between O'Reilly and PayPal.


December 20 2009

Being online: Your identity online--getting down to basics

What men daily do, not knowing what they do!

(This post is the third in a series called "Being online: identity, anonymity, and all things in between.")

Previous posts in this series explored the various identities
that track you in real life. Now we can look at the traits that
constitute your identity online. A little case study may show how
fluid these are.

One day I drove from the Boston area a hundred miles west and logged
into the wireless network provided by an Amherst coffee shop in
Western Massachusetts. I visited the Yahoo! home page and noticed that
I was being served news headlines from my home town. This was a bit
disconcerting because I had a Yahoo! account but I wasn't logged into
it. Clearly, Yahoo! still knew quite a bit about me, thanks to a
cookie it had placed on my browser from previous visits.

[A cookie, in generic computer jargon, is a small piece of data that a
program leaves on a system as a marker. The cookie has a special
meaning that only the program understands, and can be retrieved later
by the program to recall what was done earlier on the system. Browsers
allow web sites to leave cookies, and preserve security by serving
each cookie only to the web site that left it (we'll see in a later
section how this limitation can be subverted by data gatherers).]

Among the ads I saw was one for the local newspaper in my town.
Technically, it would be possible for Yahoo! to pass my name to the
newspaper so it could check whether I was already a
subscriber. However, the Yahoo! privacy policy promises not to do
this and I'm sure they don't.

As an experiment, I removed the Yahoo! cookie (it's easy to do if you
hunt around in your browser's Options or Preferences menu) and
revisited the Yahoo! home page. This time, news headlines for Western
Massachusetts were displayed. Yahoo! had no idea who I was, but knew I
was logging in from an Internet service provider (ISP) in or near

What Yahoo! had on me was a minimal Internet identity: an IP address
provided by the Internet Protocol. These addresses, which usually
appear in human-readable form as four numbers like, bear no
intrinsic geographic association. But they are handed out in a
hierarchical fashion, which allows a pretty good match-up with
location. At the top of the address allocation system stand five
registries that cover areas the size of continents. These give out
huge blocks of addresses to smaller regions, which further subdivide
the blocks of addresses and give them out on a smaller and smaller
scale, until local organizations get ranges of addresses for
their own use.

Yahoo! simply had to look up the ISP associated with my particular IP
address to determine I was in Western Massachusetts. But the
technology is a bit more complicated than that. I was actually
associated with three IP addresses--a complexity that shows how the
fuzziness of identity on the Internet extends even to the lowest
technological levels.

First, when I logged in to the coffee shop's wireless hub, it gave me
a randomly chosen IP address that was meaningful only on its own local
network. In other words, this IP address could be used only by the
hub and anyone logged in to the hub.

The hub used an aged but still vigorous technology known as Network
Address Translation to send data from my system out to its ISP. As my
traffic emanated from the coffee shop, it bore a new address
associated with the coffee shop's wireless hub, not with me
personally. All the people in the coffee shop can share a single
address, because the hub associates other unique identifiers--port
numbers--with our different streams of traffic.

But the ISP treats the coffee shop as the coffee shop treats me. The
coffee shop's own address is itself a temporary address that is
meaningful to the local network run by the ISP. A second translation
occurs to give my traffic an identity associated with the ISP. This
third address, finally, is meaningful on a world scale. It is the only
one of the three addresses seen by Yahoo!.

However, an investigator (hopefully after getting a subpoena) could
ask an ISP for the identity of any of its customers, submitting the
global IP address and port numbers along with the date and time of
access. The coffee shop didn't require any personal information before
logging me in and therefore could not fulfill an investigator's
request, but a person doing illegal file transfers or other socially
disapproved activity from a home or office would be known to the hub
system and could therefore be identified--so long as logfiles with
this information had not been deleted from the hub.

The combination of IP address, port numbers, and date and time allows
the Recording Industry Association of America to catch people who
offer copyrighted music without authorization. And this technological
mechanism underlies the European Union requirement for ISPs to keep
the information they log about customer use, as mentioned in the first
section of this article.
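
The lookup described in the last few paragraphs, as an added example that is not part of the original post: a small Python model of the two translations (coffee shop hub, then ISP) and of an investigator's query by port and time. All addresses, ports and times are constructed sample values, and Nat, trace and scenario are hypothetical names.

```python
# Added illustration; all addresses, ports and times are constructed samples.
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Port-translating NAT device that can log each mapping it creates."""
    public_ip: str
    keep_logs: bool = True
    free: list = field(default_factory=lambda: [40000, 40001])  # tiny port pool
    active: dict = field(default_factory=dict)  # (in_ip, in_port) -> out_port
    log: list = field(default_factory=list)     # (time, out_port, in_ip, in_port)

    def translate(self, time, src_ip, src_port):
        """Return the (ip, port) a flow carries after leaving this device."""
        key = (src_ip, src_port)
        if key not in self.active:
            self.active[key] = self.free.pop(0)
            if self.keep_logs:
                self.log.append((time, self.active[key], src_ip, src_port))
        return self.public_ip, self.active[key]

    def release(self, src_ip, src_port):
        """Flow ended: its outside port returns to the pool for reuse."""
        self.free.insert(0, self.active.pop((src_ip, src_port)))

    def lookup(self, time, out_port):
        """Who held out_port at `time`? None if no record survives."""
        hits = [(t, ip, p) for t, op, ip, p in self.log
                if op == out_port and t <= time]
        return max(hits)[1:] if hits else None

def trace(chain, time, port):
    """Follow (port, time) inward; the last value is False if records run out."""
    ip = chain[0].public_ip
    for nat in chain:
        found = nat.lookup(time, port)
        if found is None:
            return ip, port, False
        ip, port = found
    return ip, port, True

def scenario(hub_keeps_logs=True):
    """Two laptops use the same hub one after the other (constructed data)."""
    hub = Nat("10.20.0.7", keep_logs=hub_keeps_logs)  # hub's address at the ISP
    isp = Nat("203.0.113.50")                         # address the web site sees
    first = isp.translate(100, *hub.translate(100, "192.168.1.23", 51514))
    hub.release("192.168.1.23", 51514)                # first visitor leaves
    second = isp.translate(200, *hub.translate(200, "192.168.1.24", 51514))
    return first, second, [isp, hub]
```

Both visitors appear to the web site as the same address and port, and tracing port 40000 at time 150 and at time 250 reaches two different laptops, which is why the date and time are part of the request. With the hub's logging off, the trail stops at the hub's own address.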

If I want to hide this minimal Internet identity--the IP address--I
have to use another Internet account as a proxy. In the case of my
visit to Western Massachusetts, I was protected by logging in
anonymously to a coffee shop, but in some countries I'd be required to
use a credit card to gain access, and therefore to bind all my web
surfing to a strong real-world identity. Many European countries
require this form of identification, outlawing open wireless networks.

To generalize from my Amherst experiment, the information we provide
as we use the Internet is very limited, and can be limited even
further through simple measures such as removing cookies (a topic
covered further in a later section of this article). But what the
Internet still allows can be used in a supple manner to respond
instantly with ads and other material--such as the nearest coffee shop
or geographically relevant weather reports--that are hopefully of
greater value than the corresponding material in print publications we

This post has explored the use of IP addresses metaphorically, as
well as illustratively, to show how our Internet identity is
context-sensitive and can change utterly from one setting to another.
Usually, we provide more of a handle to the people we communicate with
over email, instant messaging, forums, and so forth. Here too we have
multiple identities and spend hours collecting each other's handles.

Email, the oldest form of personal online communication, ironically
has one of the better hacks for combining identities. Your email
accounts can be set up to forward mail, so that mail to the address
you kept from your alma mater goes automatically to your work address.

In contrast, you can't use your AIM instant message account to contact
someone on MSN, so you need a separate account on each IM service and
no one will know they all represent you unless you tell them. Twitter
is experimenting with ways to assure users that accounts with
well-known names are truly associated with the people after whom
they're named.

If IM services all agreed to use XMPP (or some other protocol) you
could reduce all your IM accounts to one. And if every social network
supported OpenSocial, you could do a lot of networking while
maintaining an account on just one service.

A widely adopted protocol called OpenID allows one identity to support
another: if you have an account on Yahoo! or Blogger you can use it to
back up your assertion of identity on another site that accepts their
OpenID tokens. OpenID and related technologies such as Information
Card don't validate your existence or authenticate the personal traits
you have outside the Internet, but allow the identity you've built up
on one site to be transferable.

My next post shows how the minimal elements of online identity
have been expanded by advertisers and other companies, who combine the
various retrievable polyps of our identity. Following that, we'll see
how we ourselves manipulate our identities and forge new ones.

The posts in "Being online: identity, anonymity, and all things in between" are:

  1. Introduction

  2. Being online: Your identity in real life--what people know

  3. Your identity online: getting down to basics (this post)

  4. Your identity to advertisers: it's not all about you (to be posted December 22)

  5. What you say about yourself, or selves (to be posted December 24)

  6. Forged identities and non-identities (to be posted December 26)

  7. Group identities and social network identities (to be posted December 28)

  8. Conclusion: identity narratives (to be posted December 30)
